Top Tweets for #BlueTeamTips
@daaximus Insane you publish that!!1
Luckily:
function Protect-PeFromPebWalk{param($path)
$f=[IO.File]
$d=$f::ReadAllBytes($path)
$o=[BitConverter]::ToUInt32($d,60)   # e_lfanew: file offset of the "PE\0\0" signature
$d[$o+22]=$d[$o+22]-band 223         # low byte of COFF Characteristics: clears 0x20 (IMAGE_FILE_LARGE_ADDRESS_AWARE)
$d[$o+95]=$d[$o+95]-band 191         # high byte of optional-header DllCharacteristics: clears 0x4000 (IMAGE_DLLCHARACTERISTICS_GUARD_CF)
$f::WriteAllBytes($path,$d)}
#blueteamtips #LAA #cfguard #rust
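As an added defender-side check (not part of the tweet above, and not the author's code), the Python below reads the same two header fields that script touches, the COFF Characteristics word at e_lfanew+22 and the optional-header DllCharacteristics word at e_lfanew+94, and reports which hardening flags an image is missing, so a baseline scan can spot binaries whose LAA or CF Guard bits have been cleared. The flag values come from the PE/COFF specification; the sample PE header is constructed inline and is not a real binary.

```python
import struct

# Flag bits from the PE/COFF specification
IMAGE_FILE_LARGE_ADDRESS_AWARE = 0x0020        # COFF Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # optional-header DllCharacteristics
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100
IMAGE_DLLCHARACTERISTICS_GUARD_CF = 0x4000


def pe_hardening_flags(data: bytes) -> dict:
    """Parse the PE headers and report which hardening flags are set.

    Offsets: e_lfanew lives at byte 60 of the DOS header. The 20-byte COFF
    header follows the 4-byte "PE\\0\\0" signature, so SizeOfOptionalHeader is
    at e_lfanew+20 and Characteristics at e_lfanew+22. The optional header
    starts at e_lfanew+24 and DllCharacteristics sits at +70 in both PE32 and
    PE32+, i.e. at e_lfanew+94 (low byte) and e_lfanew+95 (high byte).
    """
    if len(data) < 64 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    size_opt, characteristics = struct.unpack_from("<HH", data, e_lfanew + 20)
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B) or size_opt < 72:
        raise ValueError("unsupported or truncated optional header")
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    return {
        "LARGE_ADDRESS_AWARE": bool(characteristics & IMAGE_FILE_LARGE_ADDRESS_AWARE),
        "DYNAMIC_BASE": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "NX_COMPAT": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "GUARD_CF": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_GUARD_CF),
    }


def missing_hardening(data: bytes) -> list:
    """Names of the hardening flags that are NOT set, in a fixed order."""
    return [name for name, present in pe_hardening_flags(data).items() if not present]


def build_sample_pe(characteristics: int, dll_characteristics: int) -> bytes:
    """Construct a minimal PE32+ header (no sections) for testing; not a real binary."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 60, e_lfanew)
    # COFF header: Machine=x64, 0 sections, timestamp, symtab ptr, nsyms,
    # SizeOfOptionalHeader=240, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, characteristics)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                 # PE32+ magic
    struct.pack_into("<H", opt, 70, dll_characteristics)  # DllCharacteristics
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Constructed samples: a fully flagged image, and the same image after the two
# byte masks from the tweet (0xDF on Characteristics low byte, 0xBF on
# DllCharacteristics high byte) have been applied.
HARDENED = build_sample_pe(0x0022, 0x4160)            # EXECUTABLE|LAA ; GUARD_CF|NX|DYNAMIC_BASE|HIGH_ENTROPY_VA
STRIPPED = build_sample_pe(0x0022 & 0xFFDF, 0x4160 & 0xBFFF)

if __name__ == "__main__":
    print("hardened image missing:", missing_hardening(HARDENED))
    print("stripped image missing:", missing_hardening(STRIPPED))
```

Run it over a directory of images and alert on any that lose a flag between two inventory runs; a file whose CF Guard bit disappears while its size and timestamp stay the same is exactly the pattern the script above would produce.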
Blue teamers,
Crowdstrike and MDE detection combinations will eventually ransomware your hosts. Delete one or the other, or better yet both.
Follow me for more great #BlueTeamTips
@dcuthbert Block risky egress like ftp, smb, ssh etc , monitor dns for weird shit like mega upload etc. #BlueTeamTips
#dfirtip #blueteamtips
A friend of mine @yamatosecurity introduced me to his new Swiss army knife tool to help us #dfir folks investigate Windows event logs. It was written in PowerShell and can provide tons of stuff + Sigma rules integration!
https://t.co/omIDQRJECV
Did you ever have to investigate data exfil by multiple adversaries that used different versions of WinRAR for data exfil? You might get lucky and be able to use the one-liner below to map the .rar files found to the approx. WinRAR version used by each adversary.
#BlueTeamTips

Did you know that @ReversingLabs is so kind to put their Yara rules publicly available? Now, why do I care? It's because you can take those amazing Yara rules and add them to your thor-lite for easy spotting of anomalies. Thanks to @thor_scanner
#dfir #malware #blueteamtips #Yara

One of the best guides I read from last year. Some great tips on handling incidents, quick wins and system hardening. IR playbook.
Technical Approaches to Uncovering and Remediating Malicious Activity
https://t.co/2ZZTbRltiG
#DFIR #BLUETEAMTIPS

When looking for priv esc, ever thought strings /usr/local/bin/vuln_bin prints too much nonsense? Try adding this after strings:
| egrep -v "^\.|^\_|GLIB"
Cuts out a lot of the nonsense & saves paging through stuff. CC:@mrb3n813 @mrsb3n @RoadRunnerHacks @egre55 #BlueTeamTips
Before I took my #GCFE exam, I did a playlist of all @13CubedDFIR videos. I even play these videos while I'm eating my lunch, washing dishes etc. This YT channel helps me understand the different artifacts more deeply. Great channel indeed by @davisrichardg
#dfir #blueteamtips
20,000. Thank you!

When piecing together evidence of RDP connections, 2 event IDs can provide significant value. 4778 indicates that an RDP session was reconnected, 4779 indicates that a remote session was disconnected. Part of tracking account usage over RDP.
#blueteamtips #threathunting #DFIR #infosec
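To show how those two IDs are used together, here is an added example (mine, not the tweet author's) that pairs each 4778 with the following 4779 for the same account and session name to rebuild session intervals, and separately flags reconnects where an account arrives from a different client address than last time. The events are constructed inline in the 4778/4779 field layout (AccountName, SessionName, ClientName, ClientAddress) and are not real logs.

```python
from datetime import datetime

# Constructed sample events in the 4778/4779 field layout (not real logs).
SAMPLE_EVENTS = [
    {"time": "2024-03-01T08:02:10", "id": 4778, "account": "CORP\\jdoe",
     "session": "RDP-Tcp#3", "client": "WS-JDOE", "addr": "10.0.5.20"},
    {"time": "2024-03-01T09:15:44", "id": 4779, "account": "CORP\\jdoe",
     "session": "RDP-Tcp#3", "client": "WS-JDOE", "addr": "10.0.5.20"},
    {"time": "2024-03-01T23:40:01", "id": 4778, "account": "CORP\\jdoe",
     "session": "RDP-Tcp#7", "client": "UNKNOWN-PC", "addr": "10.0.9.77"},
    {"time": "2024-03-01T23:58:30", "id": 4779, "account": "CORP\\jdoe",
     "session": "RDP-Tcp#7", "client": "UNKNOWN-PC", "addr": "10.0.9.77"},
    {"time": "2024-03-02T07:30:00", "id": 4778, "account": "CORP\\svc_backup",
     "session": "RDP-Tcp#1", "client": "BKP01", "addr": "10.0.2.5"},
]


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def reconstruct_sessions(events):
    """Pair each 4778 (reconnect) with the next 4779 (disconnect) for the same
    account and session name. Sessions with no matching 4779 are reported as
    still open (end and seconds are None)."""
    open_sessions = {}
    sessions = []
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["account"], ev["session"])
        if ev["id"] == 4778:
            # A second 4778 without a 4779 in between: close the old record as-is.
            if key in open_sessions:
                sessions.append(open_sessions.pop(key))
            open_sessions[key] = {
                "account": ev["account"], "client": ev["client"], "addr": ev["addr"],
                "start": ev["time"], "end": None, "seconds": None,
            }
        elif ev["id"] == 4779 and key in open_sessions:
            s = open_sessions.pop(key)
            s["end"] = ev["time"]
            s["seconds"] = int((_ts(ev["time"]) - _ts(s["start"])).total_seconds())
            sessions.append(s)
    sessions.extend(open_sessions.values())
    return sorted(sessions, key=lambda s: s["start"])


def source_changes(events):
    """Flag 4778 reconnects where the account's client address differs from
    the address seen on its previous reconnect."""
    last_addr = {}
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] != 4778:
            continue
        prev = last_addr.get(ev["account"])
        if prev is not None and prev != ev["addr"]:
            findings.append({"account": ev["account"], "from": prev, "to": ev["addr"],
                             "client": ev["client"], "time": ev["time"]})
        last_addr[ev["account"]] = ev["addr"]
    return findings


if __name__ == "__main__":
    for s in reconstruct_sessions(SAMPLE_EVENTS):
        print(s)
    for f in source_changes(SAMPLE_EVENTS):
        print("source change:", f)
```

Pairing on account plus session name rather than on account alone matters because one user can hold several RDP sessions; a late-night reconnect from a never-seen client name and address is the kind of anomaly the second function surfaces.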
When hunting for renamed binaries like PowerShell, make sure to check whether the description matches the real binary name. Ex.: the description would be "Windows PowerShell" and the image name is not powershell.exe.
#blueteamtips #ThreatHunting #dfir #malware #infosecurity
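An added example (not the tweet author's code) of that check run over process-creation events: it compares the version-resource Description with the image file name, and also compares OriginalFileName with the image name, which catches renames for any binary that carries version info rather than only the ones in a watchlist. The events are constructed inline in Sysmon Event 1 style fields and are not real logs; the description-to-image mapping holds only the one entry the tweet gives, and you would extend it from your own golden inventory.

```python
import ntpath

# Version-resource Description (lower-cased) -> image names it legitimately belongs to.
# Only the entry from the tweet; extend from your own inventory of signed binaries.
EXPECTED_IMAGE_BY_DESCRIPTION = {
    "windows powershell": {"powershell.exe"},
}

# Constructed sample process-creation events (Sysmon Event 1 style fields); not real logs.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Description": "Windows PowerShell", "OriginalFileName": "PowerShell.EXE"},
    {"Image": r"C:\Users\Public\svchost.exe",              # PowerShell copied under another name
     "Description": "Windows PowerShell", "OriginalFileName": "PowerShell.EXE"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "Description": "Notepad", "OriginalFileName": "NOTEPAD.EXE"},
    {"Image": r"C:\Temp\update.exe",                        # no version info: nothing to compare
     "Description": "", "OriginalFileName": ""},
]


def check_event(ev: dict) -> list:
    """Return the reasons this process looks renamed; an empty list means consistent."""
    image_name = ntpath.basename(ev["Image"]).lower()
    reasons = []
    expected = EXPECTED_IMAGE_BY_DESCRIPTION.get(ev.get("Description", "").lower())
    if expected and image_name not in expected:
        reasons.append(f"description '{ev['Description']}' belongs to {sorted(expected)}, "
                       f"but image is {image_name}")
    original = ev.get("OriginalFileName", "").lower()
    if original and original != image_name:
        reasons.append(f"OriginalFileName {original} != image name {image_name}")
    return reasons


def hunt_renamed(events) -> list:
    """Run check_event over a batch and keep only the suspicious ones."""
    flagged = []
    for ev in events:
        reasons = check_event(ev)
        if reasons:
            flagged.append({"Image": ev["Image"], "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in hunt_renamed(SAMPLE_EVENTS):
        print(hit["Image"])
        for r in hit["reasons"]:
            print("  -", r)
```

The OriginalFileName comparison is the more general of the two: it needs no watchlist, but it is silent for binaries without version info, so the last sample is reported as clean rather than suspicious and needs a different check (signature, hash, path) to judge.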

When hunting PPID spoofing, make sure to check for inconsistencies between the various fields that store PPID information. ETW provides an event header whose processId identifies the actual parent process.
#blueteamtips #threathunting #DFIR #incidentresponse

Curious how to perform a hunt for obfuscated PowerShell code using XOR? We'll be looking at event ID 4104, and XOR usage involves the operators 'char', 'bxor' and 'join'
winlog.event_data.ScriptBlockText:(*bxor* AND *join*)
#blueteamtips #threathunting #DFIR #incidentresponse

You want a quick win memory analysis of the suspected memory dump infected with mimikatz? Perform a quick strings with grep "Invoke-"
#blueteamtips #threathunting #malware #DFIR

One of my fundamentals.
Understanding your infrastructure is key to securing it. I used to create "site bubbles" highlighting key servers/devices/subnets. I repeated this until I had a complete overview.
#BLUETEAMTIPS
Drawing good architecture diagrams https://t.co/z0yjwNeeUO
#blueteamtips Did you know that Windows 10 has introduced 2 new events which are quite interesting for hunting account discovery:
4798 - A user's local group membership was enumerated
4799 - A security-enabled local group membership was enumerated
#DFIR #threathunting #Forensics

#blueteamtips Once script block logging is enabled as part of your PowerShell auditing, make sure to check for those PS commands spelled backwards as part of their 2nd obfuscated command
#threathunting #DFIR #incidentresponse #infosec
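The two 4104 hunts above, the XOR query (*bxor* AND *join*, with 'char' as a supporting token) and the backwards-spelled command check, as one added Python example run over constructed ScriptBlockText samples. This is my illustration, not the tweet authors' code; the watchlist of cmdlet names whose reversed spelling is searched for is my assumption and should be extended from your own environment.

```python
# Constructed 4104 ScriptBlockText samples (not real logs).
SAMPLE_4104 = [
    {"ScriptBlockId": "1",
     "ScriptBlockText": "Get-ChildItem C:\\Logs | Where-Object Length -gt 1MB | Select-Object Name"},
    {"ScriptBlockId": "2",   # XOR decode loop: bxor + join + char
     "ScriptBlockText": "$k=42;$b=[byte[]](72,105);$s=-join($b|ForEach-Object{[char]($_ -bxor $k)});$s"},
    {"ScriptBlockId": "3",   # cmdlet name stored backwards and reversed at run time
     "ScriptBlockText": "$c='noisserpxE-ekovnI';$r=-join($c[-1..-($c.Length)]);& $r 'Get-Date'"},
    {"ScriptBlockId": "4",   # bxor without join: the tweet's query does not match this
     "ScriptBlockText": "$x=1 -bxor 2; Write-Output $x"},
]

# The tweet's query: both tokens must be present (*bxor* AND *join*).
XOR_QUERY_TOKENS = ("bxor", "join")

# Assumed watchlist: cmdlets and method names worth searching for in reversed form.
REVERSED_WATCHLIST = [
    "Invoke-Expression", "Invoke-WebRequest", "DownloadString",
    "FromBase64String", "New-Object", "Start-Process",
]


def hunt_xor(text: str):
    """Flag script blocks that contain every XOR query token; note [char] when present."""
    t = text.lower()
    hits = [tok for tok in XOR_QUERY_TOKENS if tok in t]
    if len(hits) < len(XOR_QUERY_TOKENS):
        return None
    if "[char]" in t:
        hits.append("char")
    return {"technique": "xor-decode", "tokens": hits}


def hunt_reversed(text: str):
    """Flag script blocks containing a watchlisted name spelled backwards."""
    t = text.lower()
    found = [name for name in REVERSED_WATCHLIST if name.lower()[::-1] in t]
    return {"technique": "reversed-string", "tokens": found} if found else None


def hunt_4104(events) -> list:
    """Run both hunts over a batch of 4104 events and collect findings in order."""
    findings = []
    for ev in events:
        for finding in (hunt_xor(ev["ScriptBlockText"]), hunt_reversed(ev["ScriptBlockText"])):
            if finding:
                findings.append({"ScriptBlockId": ev["ScriptBlockId"], **finding})
    return findings


if __name__ == "__main__":
    for f in hunt_4104(SAMPLE_4104):
        print(f)
```

Sample 4 shows the limit of the token query: -bxor on its own is ordinary arithmetic, which is why the tweet requires join as well; the reversed-string hunt is independent of that and fires on sample 3 even though no bxor appears.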

#blueteamtips you gotta make sure that PS logging such as script block logging & module logging is enabled to give you insights into PowerShell scripts. Event ID 4104 / 4103 are your best friends!
#threathunting #DFIR #cyberdefense

Found a new way to trap attackers if they pop a shell
$ echo "vi" >> ~/.bashrc
#BlueTeamTips #blueteam #togetherwehitharder #linux #cybersecurity #infosec #security #hacker #whitehat #cissp
Found a way to privesc in Linux.
Try it, it works.
$ su
#BugBountyTips #bugbounty #togetherwehitharder #linux #cybersecurity #infosec #hackerone #bugcrowd #security #redteam #hacker